On Fri, 22 Jun 2012 20:52, ved...@nym.hush.com said:

> Am somewhat surprised by the unprovoked V3 rants, when I asked for
> nothing from anyone, and only thanked WK for allowing it to happen.

I have been saying for more than a decade that PGP 2 should not be used anymore. The rationale for this was that OpenPGP is a standard and fixes a great many problems of PGP 2. GnuPG supports PGP 2 only because this provides a way to migrate away from PGP 2.

But: We are now in 2012 - 20 years after PGP 2. A few years later it was obvious that MD5 is broken in practice. I can't understand anyone suggesting to use PGP2. I have heard of people who keep on using and suggesting >=4k keys but still being bound to the broken MD5 and the flawed PGP public key packet and protection. This is plain stupid.

The RNG in PGP2 is also questionable because it has not been designed to cope with modern OSes. Mouse and keyboard interrupts are no longer a good source of entropy - they are not straight hardware interrupts as they used to be on MSDOS or early BSDs.

Now some claim that PGP 2 is better because it is so easy to audit the code. Okay, that might be the case for the PGP 2 source. However, who is going to audit the libc, WM (note keyboard interrupts!), kernel, msvc, gcc or hypervisor code? That is far more complex than PGP 2.

If I had to write malware I would never directly attack PGP or GPG but go for other components (D-Bus services anyone?). Subvert the most invisible part of the system and not what script kiddies will do.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.